'INFECTED' => 'malware',
'BANNED' => 'bannedname',
'UNCHECKED' => 'unchecked',
+ 'UNCHECKED-ENCRYPTED' => 'unchecked',
'SPAM' => 'spam',
'SPAMMY' => 'spammy',
'BAD-HEADER' => 'badheader',
push @ignore_list_final, qr/^Inserting header field: X-Amavis-Hold: /;
push @ignore_list_final, qr/^Decoding of .* failed, leaving it unpacked: /;
+ push @ignore_list_final, qr/^File::LibMagic::describe_filename failed on p\d+: /;
# various forms of "Using ..."
# more specific, interesting variants already captured: search "Using"
or ($p1 =~ /^SpamControl/)
or ($p1 =~ /^Perl/)
or ($p1 =~ /^ESMTP/)
+ or ($p1 =~ /^UTF8SMTP/)
or ($p1 =~ /^(?:\(!+\))?(\S+ )?(?:FWD|SEND) from /) # log level 4
or ($p1 =~ /^(?:\(!+\))?(\S+ )?(?:ESMTP|FWD|SEND) via /) # log level 4
or ($p1 =~ /^tempdir being removed/)
#XXX elsif (($action, $key, $ip, $from, $to) = ( $p1 =~ /^(?:Virus found - quarantined|(?:(Passed|Blocked) )?INFECTED) \(([^\)]+)\),[A-Z .]*(?: \[($re_IP)\])?(?: \[$re_IP\])* [<(]([^>)]*)[>)] -> [(<]([^(<]+)[(>]/o ))
# the first IP is the envelope sender.
- if ($p1 !~ /^(CLEAN|SPAM(?:MY)?|INFECTED \(.*?\)|BANNED \(.*?\)|BAD-HEADER(?:-\d)?|UNCHECKED|MTA-BLOCKED|OVERSIZED|OTHER|TEMPFAIL)(?: \{[^}]+})?, ([^[]+ )?(?:([^<]+) )?[<(](.*?)[>)] -> ([(<].*?[)>]), (?:.*Hits: ([-+.\d]+))(?:.* size: (\d+))?(?:.* autolearn=(\w+))?/) {
+ if ($p1 !~ /^(CLEAN|SPAM(?:MY)?|INFECTED \(.*?\)|BANNED \(.*?\)|BAD-HEADER(?:-\d)?|UNCHECKED|UNCHECKED-ENCRYPTED|MTA-BLOCKED|OVERSIZED|OTHER|TEMPFAIL)(?: \{[^}]+})?, ([^[]+ )?(?:([^<]+) )?[<(](.*?)[>)] -> ([(<].*?[)>]), (?:.*Hits: ([-+.\d]+))(?:.* size: (\d+))?(?:.* autolearn=(\w+))?/) {
inc_unmatched('passblock');
next;
}